Since 2018, Invictus has provided cybersecurity services to a critical infrastructure entity in the United States. This customer engaged us to devise a comprehensive strategy for implementing penetration testing across their operational environment. The primary objectives were twofold: enhancing the safety of the critical services they offer to the public and ensuring compliance with regulatory mandates such as the Office of Management and Budget’s (OMB’s) continuous monitoring requirement, the Federal Information Security Management Act (FISMA), and Executive Order 13636, along with its implementation through Presidential Policy Directive (PPD-21).
The Challenge
Invictus Introduced penetration testing services into a risk-averse environment where this type of testing had not been accomplished before. Testing would need to occur only in non-operational, dedicated testing environments mimicking the operational instances. This action would enable our client to enhance its ability to mitigate, correct, and identify critical exploitable vulnerabilities throughout its environment and to increase their understanding of operational impacts to both the system and within the environment. Our eventual goal of making these testing services a normalized, non-threatening part of the routine assessments that are accomplished to strengthen its overall cybersecurity posture.
The Solution
Since 2016, Invictus has completed testing and security control assessments for both US Government and commercial clients. We assembled an initial team of specialized cybersecurity penetration testers with technology experience tailored to the initial group of technologies to be tested to assess the challenge, coordinate a testing strategy, and conduct a proof of concept test.
This approach permitted Invictus to introduce penetration testing to this client in four stages: 1) Baseline and assess current capabilities, including simulation environments, mitigation tool sets, procedures, and testing (blue, red, and penetration) capabilities; 2) Identify processes for information gathering (technical, threat, and intelligence); 3) Identify an integrated validation and penetration testing approach to achieve an aggressive, proactive penetration testing organization using industry standard tools, operational models, and information sources (including law enforcement and cyber intelligence); and 4) Implement and expand the approved enhanced testing approach for customer-specific priority systems, security initiatives to include risk mitigation capabilities, simulation and exercises, vulnerability and exploit research and discovery, as well as red and blue teaming (pre and post mitigation) when directed by the government.
The Impact
With our support, this vital component of the US critical infrastructure has seamlessly incorporated penetration testing into its tailored continuous monitoring process, Risk Management Strategy, and Security Policies fortifying its overall security posture.